Last month, we covered how legacy GRC products and new integrated risk management (IRM) solutions can co-exist and in fact compliment each other. That said, in order for them to compliment we have to acknowledge that there is a distinct difference between the modular GRC products and IRM solutions. However, what we saw before, during, and after the RSA Conference is the GRC solutions calling themselves IRM solutions with little or no product changes. IRM technology represents a fundamental change to the approach to the product and is not simply a problem for the marketing team.
As we've said, in enterprise organizations, there is room for both but we believe that customers of these GRC platforms as well as those considering becoming customers, need to know the distinction and how to spot the false premises that GRC is telling the market. In this second post from this series on the lies that GRC is telling you we'll dive into the first lie: good things come but only to those who wait.
Good things come to those who wait: There’s a direct correlation between time to implement and amount of value
Every technology company has had to debate between developing high-value configuration, or allowing for heavy customer-facing customization when building a product. Many in the GRC space opted to have users customize whatever they want with intricate linkages between assets, controls, risks, scoring mechanisms, and business processes. More customization options were added over the years, so much so that even those who bought described implementation as something that you must “know what you’re getting into”.
We’ve read through every Gartner and Forrester report, every review from those using legacy GRC for their security program, and spoke to our partner, Gartner, and other analyst firms about the subject. The consensus is that it takes at least 3 months, if not more, to simply implement the technology after buying it. Most of the time, these jobs are completed by a third party instead of the organization itself or the vendor. The more popular industry leaders average a 6-12 month, and some even 12+ months, implementation time in order to be used by the customer.
When GRC buyers choose a product that is supposed to make their cybersecurity program more efficient and effective, they shouldn't have to wait months to use it. As mentioned before, legacy GRC serves a purpose, but getting immediate time-to-value is not a common thread among these players. In the era of emerging integrated risk management, information security organizations should be able to access and utilize intricate linkages between assets, controls, risks, scoring mechanisms, and business processes without heavy customization-- instead, making as many of these functionalities out-of-the-box as possible, with agile customer-facing configuration, is the means to the fastest time-to-value in the future state of integrated risk management. A longer implementation time does not equate to more value, as the future of GRC (IRM) is leaning towards more rapidly deployed capabilities that bring just as much, if not more.
The Sunk Cost Fallacy Of GRC
Project managers are no strangers to the sunk cost fallacy - the idea that an activity, project, or product is valued at the amount of resources invested even if it is not worth that investment. In the case of risk and compliance solutions, GRC blogs have cultivated the idea that an astronomical price tag and an average implementation time of six months increases the value of the product itself. It doesn't. In a time when artificial intelligence and machine learning powered products configure themselves out of the box (in ways that would push the upper echelons of the GRC implementation time we've seen thus far), the idea of a long time to value is only hurting CISO's and their teams.
This post is part two of CyberSaint's series diving into the false dichotomies, incorrect premises, and potential falsehoods that the GRC market has told cyber professionals.
Read the full report on the Three Lies That GRC Is Telling You here.